
Manifesto for a Standard Priority Order

Priorities are a common parameter in applications, and examples are plentiful. In support applications, priorities define the urgency of the reported problem. When you configure software, priorities may help to re-order similar actions. In protocol specifications, priorities are also used to make decisions (routing protocols are a good example). In short, priorities are everywhere!

Did you ever notice that the order of priorities often depends on the application? Some developers use priority 1 (one) as the highest while others use it as the lowest priority. In a given context, take two identical rules with respective priorities of “10” and “20”: which one will be processed first? Often, you will have to refer to the documentation!

First example: the MX (“Mail eXchange”) records in a DNS zone. The MX record with the lower priority value will be used first:

rootshell.be.		3600	IN	MX	10 mail.rootshell.be.
rootshell.be.		3600	IN	MX	20 mx1.nikita.cx.
rootshell.be.		3600	IN	MX	300 spammers.go.away.

A second example: the BGP4 protocol. At a given step, route selection is also performed based on a priority (called “weight” in this case):

“In the latter case the route selection process moves to the next tie breaker. While LOCAL_PREF is the first rule in the standard, once reachability of the NEXT_HOP is verified, Cisco and several other vendors first consider a decision factor called WEIGHT which is local to the router (i.e. not transmitted by BGP). The route with the highest WEIGHT is preferred.”

OTRS, a popular open source ticketing system, uses priorities from “1” (lowest) to “5” (highest).

In those three examples, we see that the priority order is different. As everything is standardized in information technology, why not the definition of priorities?

FOSDEM Turns Ten!

I’m back from my daily visit to FOSDEM. This two-day event organized in Brussels reached its 10th edition! Congratulations! I have attended FOSDEM for several years and its success keeps growing. This is good! It means that interest in free software is growing too! Even better, like any similar event, it is an excellent place to meet “IRL” (“In Real Life”) your friends and the developers of your favorite applications or operating systems.

I arrived at the conference venue around 9:00am. It was impressive to see so many geeks already converging on the same place on a foggy Sunday morning! My first choice among the huge number of tracks was “Linux distribution for the cloud” by Peter Eisentraut. Cloud computing remains a hot topic. Peter explained what the cloud is (and once again a new definition of the “cloud”!) and how Linux distributions could take advantage of it. Linux distributions are made to provide a compilation of useful tools to users. That’s also the goal of clouds. What are the implications of free software used in the cloud? The presentation was not what I expected (“how to build a cloud service based on free software”), so I was a bit disappointed.

The second talk was given by Marius Nuennerich. The topic was an “Introduction to FreeBSD”. FreeBSD is an operating system which offers nice features. I learned that many big organizations like Yahoo!, banks and military organizations are using FreeBSD. Parts of the source code have been re-used in many commercial products (MacOS, Cisco, Juniper, …). The code is released under the BSD license, which is so simple compared to other types of licenses! Lots of questions popped up from the audience regarding the license model and the discussion slid smoothly from a presentation of the operating system to something more “legal”. Time ran out before all the other nice features of FreeBSD, like jails and file-system encryption, could be covered in depth. But the talk was instructive. I like this quote from Marius:

You cannot escape from a FreeBSD jail! It’s like a … jail

My next two tracks were much more popular and presented in the biggest room (“Janson”). Andrew Lewman presented the Tor project (“The Onion Router”). It is a well-known project which increases the anonymity of users’ traffic on the Internet. Everybody may require anonymity on the Internet: from the end-user to military infrastructure or human-rights defenders. The principle behind Tor was explained (routing packets through virtual circuits up to the exit node). There are also plenty of tools to make Tor easier to use (proxies, virtual machines, live CDs, etc). As Tor protects user anonymity, it’s difficult to get information about the users. Anyway, a site (metrics.torproject.org) tries to gather some statistics.

Finally, my last track was given by Andrew Tanenbaum himself. He spoke about MINIX, an operating system designed to be highly reliable, flexible, and secure. “Andy” is an excellent speaker and gave a presentation of his baby. He started with this quote:

If God wanted software to be reliable, he wouldn’t have created Reset buttons

This is so true! The MINIX fundamentals were reviewed, and how they provide this excellent reliability. I installed AmigaMINIX years ago and was happy to receive a prompt, but only basic commands like ‘ls’ and ‘cp’ worked. Now, the OS looks much more mature and has enough tools to start using it. To be investigated when I have some free time (on my todo list).

And as usual, lots of stands with all your favorite flavors of operating systems and applications! The RepRap one was impressive, with 3D printers in demo.

An excellent edition with strong organization (mandatory to satisfy thousands of visitors during two days!). Some pictures of the event are available on Flickr. See you next year!

Grandma and her Banker!


Yesterday, I received the e-mail below, forwarded by a friend. Usually, I don’t react to such e-mails (who does not receive PowerPoint files, jokes or funny messages in his mailbox every day?). But this time, it was quite realistic.

This is a letter sent by a grandma to her bank. It contains so many realistic facts about security procedures that I have to share it with you. Many allusions to methods used by financial institutions…

The original text was in French (original text here) and was translated into English (my apologies for the approximate translation of some sentences).

Dear Sir,

I would like to thank you for having refused my check that would have allowed me to pay the plumber last month. By my calculations, three nanoseconds elapsed between the presentation of the check and the arrival of the funds on my account. I refer, of course, to the automatic monthly deposit of my pension (which occurs, I must admit, for only eight years). I must also congratulate you for the debit of 30 EUR from my account for the inconvenience caused to your bank. This incident prompted me to review the way I’ll manage my finances.

I noticed that whereas I personally answer your telephone calls and letters, I am confronted with the impersonal, demanding and programmed entity of your bank. Starting from today, I decided to deal only with a human person. The monthly mortgage loan will no longer be automatically transferred but will arrive via checks addressed in a confidential way to a designated employee who will be selected according to my own criteria. Be warned that any other person taking care of my letters will be considered as a violation of postal regulations.

You will find enclosed an application form that must be completed by the designated employee. It contains eight pages. I’m sorry, but this is the only way to learn as many personal details about your employee as the bank knows about me. There is no alternative. Please note that all pages about medical records must be countersigned by a notary, and the mandatory details of his/her financial situation (income, debts, assets and liabilities) must be accompanied by relevant documents.

Then, at my convenience, I will issue a PIN code for your employee. He/she must use this code during each appointment. Unfortunately, that code will not contain less than 28 digits but, again, this is based on the number of keys that I have to press to access your bank phone services. Let me develop this procedure.

When you call me, press the buttons as follows: Immediately after dialing the number, please press star (*) to select your language.
Then 1 for an appointment with me.
The 2 for questions related to late payments.
The 3 to transfer the call to the living room.
The 4 to transfer the call to the bedroom.
The 5 to transfer the call to the toilet.
The 6 to forward the call to my mobile if I am not at home.
The 7 to leave a message on my PC. A password will be required. This password will be communicated at a later date to the authorized person mentioned above.
The 8 to return to the main menu and listen to new options.
The 9 for any generic question or complaint. There is a risk of being put on hold.
The 10, again to select the language. This may increase the waiting time but relaxing music will be played during this time.

Regrettably, but again following your example, additional charges will be levied to cover the installation of equipment required by this new procedure. May I wish you a happy, albeit very slightly less prosperous new year?

Respectfully,
Your humble customer.

ixquick: Search and Now Browse the Web Anonymously

ixquick.com is a search engine amongst lots of others. But it claims to protect its visitors by keeping no trace of the search queries nor any other sensitive information.

More classical search engines do not hesitate to collect and store information about you. They claim that this data is used to offer you more accurate search results. In fact, it is also used to build your profile and to better choose the targets (“you”) of marketing campaigns.

Surfing the web anonymously can also be interesting when your computer is connected to a hostile environment. And, after all, increasing your privacy is always good.

For a few days now, ixquick has offered a new service to increase the privacy of its visitors: an anonymous proxy! A new button labeled “Proxy” is available below the search results:


If you click on this link, you will access the web site via the ixquick anonymous proxy. The proxy connects to the remote site, grabs the page and displays it to you. Note that all the hyperlinks present in the grabbed page are rewritten so that they are also accessed through the proxy (only for links on the same site). At the moment, only the HTTP GET method is available; it’s not possible to submit forms (the proxy will warn you and ask you if you want to submit the data using a direct connection).

I tested this proxy against my blog and saw requests coming from the IP address 213.144.235.198:

route:          213.144.224.0/19
descr:          RoutIT B.V.
origin:         AS28685
mnt-by:         ROUTIT-MNT
source:         RIPE # Filtered

Funny, the user-agents change randomly. I detected the following ones:

"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; de) Gecko/20091221 Firefox/3.5.7"
"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US) Gecko/20091221 Firefox/3.5.7 GTB7.0"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; de) Gecko/20100115 Firefox/3.6"
"Mozilla/5.0 (Windows; U; Windows NT 6.0; de) Gecko/20091221 Firefox/3.5.7"
"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"
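The pattern observed above (one source IP, a different browser identity on almost every request) is easy to pick out of a web server log. The following is an added example, not code from the original post or from ixquick: it parses constructed Apache combined-format lines and reports any client IP presenting several distinct User-Agents.

```python
"""Detect a source IP that rotates its User-Agent (added example, not from the
original post). The log lines are constructed in Apache combined format and
reproduce what was observed above: one proxy IP, several browser identities.
Anonymising proxies and scanners both show this pattern; a single real browser
almost never does.
"""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    match = LOG_RE.match(line)
    return match.groupdict() if match else None


def user_agents_by_ip(lines):
    """Map each client IP to the set of distinct User-Agent strings it sent."""
    seen = defaultdict(set)
    for line in lines:
        record = parse_line(line)
        if record is not None:
            seen[record["ip"]].add(record["ua"])
    return dict(seen)


def rotating_ua_sources(lines, min_agents=3):
    """IPs that presented at least `min_agents` different User-Agents."""
    return {ip: sorted(agents)
            for ip, agents in user_agents_by_ip(lines).items()
            if len(agents) >= min_agents}


# Constructed sample: the proxy IP from the post with four of the observed
# User-Agents, plus a normal visitor (documentation address) with a single one.
SAMPLE_LOG = [
    '213.144.235.198 - - [29/Jan/2010:10:00:01 +0100] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.0.3) Gecko/2008092416 Firefox/3.0.3"',
    '213.144.235.198 - - [29/Jan/2010:10:00:04 +0100] "GET /style.css HTTP/1.1" 200 812 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 5.1; de) Gecko/20091221 Firefox/3.5.7"',
    '213.144.235.198 - - [29/Jan/2010:10:00:09 +0100] "GET /about HTTP/1.1" 200 3310 "-" '
    '"Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US) Gecko/20091221 Firefox/3.5.7 GTB7.0"',
    '213.144.235.198 - - [29/Jan/2010:10:00:15 +0100] "GET /feed HTTP/1.1" 200 9001 "-" '
    '"Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1)"',
    '192.0.2.10 - - [29/Jan/2010:10:01:00 +0100] "GET / HTTP/1.1" 200 5120 "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; de) Gecko/20091221 Firefox/3.5.7"',
    '192.0.2.10 - - [29/Jan/2010:10:01:02 +0100] "GET /style.css HTTP/1.1" 304 - "-" '
    '"Mozilla/5.0 (Windows; U; Windows NT 6.0; de) Gecko/20091221 Firefox/3.5.7"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, agents in rotating_ua_sources(SAMPLE_LOG).items():
        print(ip, len(agents), "distinct User-Agents")
```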

The ixquick proxy is slower than a direct connection (you will be warned about this) but it’s a good alternative to protect your privacy. Finally, even if ixquick announces that no user activity is recorded, there is no way to verify this, so use their services carefully. They’re located in the Netherlands, and a debate about a Data Retention Act is ongoing with the local ISPs!

Link to the official press release.

OWASP & ISSA Belgium Chapter Meeting


I’m back from the last OWASP (organized together with ISSA) Belgium Chapter meeting. As usual, good times with friends from the Belgian security landscape ;-) . Two topics were covered today. First GreenSQL, a database firewall, then an overview of mobile malware by Mikko Hypponen.

Almost one year ago to the day, I wrote a blog post about GreenSQL. Yuli Stremovsky, VP of Research and Development, was invited to Belgium to present his solution. Yuli first reviewed some common facts to explain why products like GreenSQL are important in today’s infrastructure. Databases are used everywhere and are accessible online via web sites. Some common problems were covered (like SQL injection) – nothing new – but a solution like GreenSQL could be interesting in some cases.

GreenSQL acts as a proxy: before passing the SQL queries to the database server, several checks are performed and unexpected requests are blocked. Unfortunately, the product comes “empty” and the administrator has to define which queries will be accepted. The default rule is “deny all”, and dangerous commands like “show processes” are also denied. As suggested by people in the room, some “sets of queries” for common web applications (Joomla, Wordpress, …) would be welcome so as not to reinvent the wheel.

I had an interesting discussion with Yuli: it could be useful to export the events generated by GreenSQL to a third-party system such as a log management solution. Another nice feature could be to filter the data sent back to the client (some kind of “DLP” module). Important remark: using GreenSQL does not exempt developers from staying aware of security! Relying on GreenSQL only is a fail!

After a short break, Mikko Hypponen, Chief Research Officer for F-Secure, presented the situation of the malware landscape in the mobile world and what we can expect in the (near) future. Mikko is a great speaker and gave an excellent presentation. He reviewed the history of malware on mobile phones. Compared to common environments like Windows, there are “only” 500 known viruses targeting our mobile phones (interesting to know: Symbian is the top target).

The evolution of mobile malware follows the same path as on our PCs. At first it was not able to spread rapidly (Bluetooth covers only a limited area) and had limited impact. Today, malware is developed to steal money! Mikko gave more details about an attack targeting mijn.ing.nl (web-banking site). Other malware can send text messages or call premium-rate phone numbers. Not surprisingly, a lot of malware hits users by forcing them to perform unsafe actions or displaying rogue information. Nothing new, the human factor is the major problem. And what about the future? Mikko predicts: more malware, mobile botnets, drive-by exploits, rogue dialers and, of course, spam bots.

This was an excellent meeting with great topics. Lots of people were present thanks to the dual OWASP-ISSA organization. See you next time!

Data Protection Day 2010

The 2010 edition of the Data Privacy Day will be held on January 28th. This initiative has a dedicated website: dataprivacyday2010.org. The goal is to create more awareness about your online privacy:

Data Privacy Day is an international celebration of the dignity of the individual expressed through personal information. In this networked world, in which we are thoroughly digitized, with our identities, locations, actions, purchases, associations, movements, and histories stored as so many bits and bytes, we have to ask – who is collecting all of this – what are they doing with it – with whom are they sharing it? Most of all, individuals are asking ‘How can I protect my information from being misused?’ These are reasonable questions to ask – we should all want to know the answers.

While the site dataprivacyday2010.org focuses mainly on the United States, there are (fortunately) other initiatives like the one of the European Commission with its own web site dataprotectionday.eu. A big contest was organized across Europe targeting 15-19 year old students. Participants were invited to create and submit animations on the theme of “Privacy is a Human Right – Treat it with care”. This contest was supported, amongst others, by the Vrije Universiteit Brussel and the Erasmushogeschool Brussel. An event will close the contest in Brussels on the 28th of January at the European Parliament. Here is the promotional video:

The video gallery gives you access to all submitted videos. And you? What will you do on the 28th of January to increase user awareness?

ISSA Belgium Chapter Meeting: Introduction to OSSEC

Back from the first ISSA Belgium Chapter Meeting of 2010. Today’s topic was “Introduction to OSSEC: Log Analysis and Host Intrusion Detection”. A very interesting topic for me. First because I’m involved in lots of SIEM projects. But especially because Wim Remes, the speaker, is a friend of mine.

Wim is a fan of OSSEC. This open-source tool is defined on its web site as “an Open Source Host-based Intrusion Detection System. It performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response.”

Wim’s choice was to split his talk into two big sections. First, a theoretical part, where he explained to the audience why a good log management solution is a must-have for all organizations (whether they have to be compliant or not). Then, he dove into the tool and demonstrated the power of OSSEC through examples. The choice of two distinct sections was the right one: everybody was able to understand the product (managers as well as executives).

Before this meeting, I had a very limited knowledge of OSSEC. For me, it was “just” an HIDS (“Host-based Intrusion Detection System”). But it can perform much more interesting things! Using simple configuration files, it’s possible to set up basic event correlation. Example:

<rule id="100016" frequency="4" level="10" timeframe="180">
  <if_matched_sid>100015</if_matched_sid>
  <same_source_ip/>
  <description>Multiple snort alerts with the watched ids</description>
</rule>
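To make the semantics of that composite rule concrete, here is an added simulation (my own code, not OSSEC’s): it counts matches of parent rule 100015 per source IP in a sliding window and raises a level 10 alert from rule 100016 on the fourth match within 180 seconds. The events are constructed; OSSEC’s real counter has implementation quirks that are not reproduced here.

```python
"""Simulation of the composite OSSEC rule above (added example, not OSSEC code).

Rule 100016 fires at level 10 once rule 100015 has matched `frequency` times
within `timeframe` seconds from the same source IP. The events below are
constructed; `ts` is seconds since an arbitrary epoch.
"""
from collections import defaultdict, deque


class CompositeRule:
    """Models <rule frequency=... timeframe=...> with <if_matched_sid> and <same_source_ip/>."""

    def __init__(self, rule_id, parent_sid, frequency, timeframe, level, description):
        self.rule_id = rule_id
        self.parent_sid = parent_sid
        self.frequency = frequency
        self.timeframe = timeframe
        self.level = level
        self.description = description
        # Sliding window of parent-rule match timestamps, one deque per source IP.
        self._window = defaultdict(deque)

    def feed(self, event):
        """Consume one decoded event; return an alert dict when the rule fires, else None."""
        if event["sid"] != self.parent_sid:
            return None
        window = self._window[event["srcip"]]
        window.append(event["ts"])
        # Drop matches older than the timeframe relative to the newest one.
        while event["ts"] - window[0] > self.timeframe:
            window.popleft()
        if len(window) >= self.frequency:
            window.clear()  # start counting the next burst from scratch
            return {"rule": self.rule_id, "level": self.level,
                    "srcip": event["srcip"], "ts": event["ts"],
                    "description": self.description}
        return None


def correlate(events, rule):
    """Run events (ordered by ts) through the rule and collect the alerts."""
    alerts = []
    for event in events:
        alert = rule.feed(event)
        if alert:
            alerts.append(alert)
    return alerts


RULE_100016 = CompositeRule(100016, parent_sid=100015, frequency=4, timeframe=180,
                            level=10, description="Multiple snort alerts with the watched ids")

# Constructed sample: 10.0.0.5 triggers 100015 four times in 150 s, 10.0.0.9 only
# every 100 s (never four inside 180 s), and one unrelated 100014 event is mixed in.
EVENTS = sorted([
    {"ts": 0,   "sid": 100015, "srcip": "10.0.0.5"},
    {"ts": 50,  "sid": 100015, "srcip": "10.0.0.5"},
    {"ts": 60,  "sid": 100014, "srcip": "10.0.0.5"},
    {"ts": 100, "sid": 100015, "srcip": "10.0.0.5"},
    {"ts": 150, "sid": 100015, "srcip": "10.0.0.5"},
    {"ts": 400, "sid": 100015, "srcip": "10.0.0.5"},
    {"ts": 0,   "sid": 100015, "srcip": "10.0.0.9"},
    {"ts": 100, "sid": 100015, "srcip": "10.0.0.9"},
    {"ts": 200, "sid": 100015, "srcip": "10.0.0.9"},
    {"ts": 300, "sid": 100015, "srcip": "10.0.0.9"},
], key=lambda e: e["ts"])

if __name__ == "__main__":
    for alert in correlate(EVENTS, RULE_100016):
        print(alert)
```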

OSSEC is certainly not as powerful as a true SIEM solution. It does not integrate retention policies for events and it does not collect events from lots of devices but, with the help of other tools, it’s possible to start an interesting log management solution at an unbeatable price. Example: the integration of OSSEC & Splunk. And once you have learned how to manage your events, why not switch to a real SIEM product?

Given the high number of questions asked during and after the presentation, it was really a nice topic! Well done Wim! I suppose that the slides will be available on SlideShare soon.

Yellow? Green? Red? The Security Rainbow Sky…

There was an interesting post on the diary page of isc.sans.org yesterday: some readers asked why ISC did not switch the InfoCon status to yellow due to the recent IE 0-day exploit. The on-duty ISC handler explained the situation and why they decided to stay “Green”. The following question popped into my mind: “What’s the real value of threat levels? Which one can we trust?”

The Internet Storm Center (“ISC”) is not the only organization to provide a “Security Threat Level”. There are other organizations like McAfee, Symantec, ISS, TrendMicro, etc. To get a good overview of the threat level amongst them, I often use the Threat Level Aggregator provided by CERTstation.com. Take the time to visit the website and you’ll immediately understand the problem:


From the eight aggregated services:

  • One is “critical”,
  • Five are “elevated”,
  • And two are “low”.

If you’re not a security professional and visit this page, how will you understand the content? Am I in danger or am I safe when I use my computer? Do they monitor the same stuff? Worse, it can be disturbing for management: why don’t the admins take action in such a “crisis” situation?

My first concern is “independence”. Some of the companies providing a threat level indicator do business within the security landscape (example: they sell anti-virus software). It’s only my point of view, but I prefer to trust an independent organization. Second, do not take all the information provided at face value. A new zero-day exploit targeting an application used on your network may have a smaller attack surface depending on your configuration and practices.

It’s important to have a clear view of:

  • the software and hardware components used in your environment (model, version, patches),
  • how they are used and configured (change management).

A good example? I remember the case of ProFTPd at the beginning of 2009. This popular FTP server was vulnerable to an authentication bypass but… only when configured with a MySQL backend! There was a debate inside my company about the severity of this exploit. In fact, no customer was using the vulnerable authentication method!

When a new security issue is disclosed, don’t raise the red flag immediately. Take some time to deeply analyze the facts and detect the potential risks that can affect the business. It may also happen the other way around: a low vulnerability may have a bigger impact inside your organization. Take care!
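The reasoning above (a vulnerable build is only a risk where the vulnerable configuration is in use, and a “low” flaw can still hurt on a critical asset) can be written down as a small triage routine. This is an added example, not code from the original post; the advisory identifier, version numbers and inventory are constructed placeholders, not the real ProFTPd advisory’s data.

```python
"""Advisory applicability triage (added example, not from the original post).

Encodes the post's argument: a disclosed flaw matters only where the affected
component is deployed *and* the vulnerable configuration is in use, and a
"low" flaw can still be serious on a critical asset. Advisory identifiers,
version numbers and the inventory are constructed placeholders.
"""
from dataclasses import dataclass, field

SEVERITY = ["low", "medium", "high", "critical"]


def parse_version(text):
    """'1.9.8' -> (1, 9, 8) so versions compare as tuples."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class Advisory:
    ident: str
    product: str
    fixed_in: tuple            # first version that is not vulnerable
    required_config: dict      # facts that must all hold for the flaw to be reachable
    base_severity: str         # the vendor's or CERT's headline rating


@dataclass
class Host:
    name: str
    products: dict             # product -> installed version tuple
    config: dict = field(default_factory=dict)
    critical: bool = False     # business-critical asset?


def exposure(advisory, host):
    """'exposed', 'present-not-exposed' (vulnerable build, safe config) or 'not-affected'."""
    version = host.products.get(advisory.product)
    if version is None or version >= advisory.fixed_in:
        return "not-affected"
    if all(host.config.get(k) == v for k, v in advisory.required_config.items()):
        return "exposed"
    return "present-not-exposed"


def triage(advisory, hosts):
    """Group host names by exposure outcome."""
    buckets = {"exposed": [], "present-not-exposed": [], "not-affected": []}
    for host in hosts:
        buckets[exposure(advisory, host)].append(host.name)
    return buckets


def local_rating(advisory, hosts):
    """Organisation-specific rating: nothing exposed -> 'informational'; otherwise
    the headline rating, raised to at least 'high' when a critical asset is exposed."""
    exposed = [h for h in hosts if exposure(advisory, h) == "exposed"]
    if not exposed:
        return "informational"
    level = SEVERITY.index(advisory.base_severity)
    if any(h.critical for h in exposed):
        level = max(level, SEVERITY.index("high"))
    return SEVERITY[level]


# Constructed inventory mirroring the ProFTPd case: only the MySQL-backed instance
# on an unpatched build is actually reachable. Version numbers are made up.
FTP_ADVISORY = Advisory("ADV-PLACEHOLDER-1", "proftpd", parse_version("1.9.9"),
                        {"auth_backend": "mysql"}, "critical")
HOSTS = [
    Host("ftp-1", {"proftpd": parse_version("1.9.8")}, {"auth_backend": "mysql"}),
    Host("ftp-2", {"proftpd": parse_version("1.9.8")}, {"auth_backend": "file"}, critical=True),
    Host("ftp-3", {"proftpd": parse_version("1.9.9")}, {"auth_backend": "mysql"}),
    Host("web-1", {"apache": parse_version("9.0.1")}, critical=True),
]

if __name__ == "__main__":
    print(triage(FTP_ADVISORY, HOSTS), local_rating(FTP_ADVISORY, HOSTS))
```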

Adding Data Leakage Protection into Apache

Data leakage is a major risk for many organizations today. As more and more data is used in digital format, it’s easy to copy it or send it outside the security perimeter. Leaked data can have a major impact on the business (loss of revenue, loss of confidentiality or loss of credibility – with customers, shareholders or media).

A common vector of data leaks is web traffic, the “evil” port 80! Every day, we read news about mis-configured web sites which allow access to unprotected resources, or resources made available by hackers (once on the web server, they can be easily retrieved).

Some Strong Passwords are not so Strong

Passwords are weak! That’s not breaking news. But it’s impossible to get rid of passwords today. There are tips to make them stronger. Classic recommendations are:

  • Use a mix of letters and numbers,
  • Use a mix of uppercase and lowercase characters,
  • Use punctuation (special) characters,
  • Do not use common words or personal details
  • blah… blah… blah….

But adding a physical restriction could be a good idea! Do you think the following passwords are as strong as they look?

  • 12dfghjkl90
  • wqa12zsx
  • &é"'(§
  • ;ki!çol:
  • !@#$rewq

Check your keyboard layouts… (some are based on a qwerty keyboard, others on azerty). Stay away from your keyboard layout. It’s quite easy for a shoulder surfer to look over your shoulder and get your password. If he gets only the first characters, the remaining ones will be easily guessed from the keyboard layout.
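A password policy can catch these “keyboard walks” before a shoulder surfer does. The following is an added example, not code from the original post: it maps each character to its key position on simplified QWERTY and AZERTY layouts (row stagger ignored) and flags a password when most consecutive characters are neighbouring keys, which is exactly what makes the five passwords above guessable from their first few keystrokes.

```python
"""Keyboard-walk detector (added example, not from the original post).

Flags passwords whose consecutive characters are mostly physical neighbours on
a QWERTY or AZERTY keyboard. Layouts are simplified (row stagger and AltGr
characters ignored); this is a heuristic check, not a full strength estimator.
"""

# Each layout is a list of (unshifted_row, shifted_row) pairs, top to bottom.
# Characters at the same index of a pair sit on the same physical key.
LAYOUTS = {
    "qwerty": [
        ("`1234567890-=", "~!@#$%^&*()_+"),
        ("qwertyuiop[]\\", "QWERTYUIOP{}|"),
        ("asdfghjkl;'", "ASDFGHJKL:\""),
        ("zxcvbnm,./", "ZXCVBNM<>?"),
    ],
    "azerty": [  # French layout
        ("²&é\"'(-è_çà)=", "³1234567890°+"),
        ("azertyuiop^$", "AZERTYUIOP¨£"),
        ("qsdfghjklmù*", "QSDFGHJKLM%µ"),
        ("<wxcvbn,;:!", ">WXCVBN?./§"),
    ],
}


def _key_positions(layout):
    """Map every character of a layout to its (row, column) key position."""
    positions = {}
    for row, (plain, shifted) in enumerate(layout):
        for col, (a, b) in enumerate(zip(plain, shifted)):
            positions[a] = (row, col)
            positions[b] = (row, col)
    return positions


_POSITIONS = {name: _key_positions(rows) for name, rows in LAYOUTS.items()}


def adjacent_fraction(password, layout_name):
    """Fraction of consecutive character pairs that are neighbouring keys
    (same key, or at most one row and one column apart) on the given layout.
    Characters outside the layout never count as adjacent."""
    positions = _POSITIONS[layout_name]
    if len(password) < 2:
        return 0.0
    hits = 0
    for a, b in zip(password, password[1:]):
        if a in positions and b in positions:
            (r1, c1), (r2, c2) = positions[a], positions[b]
            if abs(r1 - r2) <= 1 and abs(c1 - c2) <= 1:
                hits += 1
    return hits / (len(password) - 1)


def best_layout(password):
    """Return (layout_name, fraction) for the layout the password fits best."""
    return max(((name, adjacent_fraction(password, name)) for name in LAYOUTS),
               key=lambda item: item[1])


def is_keyboard_walk(password, threshold=0.6):
    """True when at least `threshold` of the key transitions are neighbours."""
    return best_layout(password)[1] >= threshold


if __name__ == "__main__":
    # The five "strong-looking" passwords from the post plus one constructed control value.
    for pw in ["12dfghjkl90", "wqa12zsx", "&é\"'(§", ";ki!çol:", "!@#$rewq", "Tr0ub4dor&3"]:
        name, frac = best_layout(pw)
        print(f"{pw!r:16} best={name} adjacent={frac:.0%} walk={is_keyboard_walk(pw)}")
```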